43 lines
2.1 KiB
Text
43 lines
2.1 KiB
Text
|
*** cdist #6: Glueing it together
|
||
|
**** Lecture content
|
||
|
***** Objective
|
||
|
- Apply learnings from the previous cdist sessions
|
||
|
***** Steps 1: *__all_in_one* (1.25h)
|
||
|
- Create a new type named *__all_in_one*
|
||
|
- Decide yourself whether it is a singleton or not
|
||
|
- Reason why in your cdist.org file
|
||
|
- It should work on alpine, debian and fedora
|
||
|
- It accepts the following parameters:
|
||
|
- *--with-x* (boolean)
|
||
|
- *--extra-packages* (optional multiple)
|
||
|
- On Alpine, it should install netcat-openbsd and tshark
|
||
|
- On Debian, it should install netcat tshark
|
||
|
- On Fedora, it should install nmap-ncat wireshark-cli
|
||
|
- On all operating systems install socat sipcalc sudo
|
||
|
- If the detected operating system is neither
|
||
|
Alpine/Debian/Fedora, output an error message and abort the
|
||
|
manifest with exit code 1
|
||
|
- Additionally install all packages specified by the *--extra-packages* parameter
|
||
|
***** Steps 2: *__firewall* (1.25h)
|
||
|
- Create a new type *__my_firewall*
|
||
|
- Add a *type explorer* to find out whether nft is present on
|
||
|
the target system
|
||
|
- Add a required parameter named *file*
|
||
|
- If the type explorer does not detect nft on the target system,
|
||
|
abort with an error message
|
||
|
- Deploy the specified file to */etc/my-nftables*
|
||
|
- Add a *type explorer* that reads the current nft rules
|
||
|
- If the rules are different on the target host, apply the new
|
||
|
ruleset by generating code in *gencode-remote*
|
||
|
- If the filename specified by the *file* parameter is *-* (the
|
||
|
minus sign), then the type should read from *stdin*
|
||
|
***** Step 3: manifest (0.5h)
|
||
|
- Create a new manifest in the folder that contains the initial manifest
|
||
|
- Name the new manifest *firewall*
|
||
|
- Source the *firewall* manifest in the *initial* manifest
|
||
|
- In the *firewall* manifest, match on *localhost*
|
||
|
- Install nftables
|
||
|
- Use the *__firewall* type
|
||
|
- Use correct *require* parameter to ensure that nftables is
|
||
|
installed before the *__firewall* type is run
|
||
|
|